[ale] OT - making really strong pass phrases - was New encryption technology using a piece of paper
Ron Frazier
atllinuxenthinfo at c3energy.com
Tue Sep 6 21:13:40 EDT 2011
(I never saw this post to the list, so apologies if it posts twice. Ron)
Michael W.,
OK. I'm impressed. Assuming I did the math right, crack time is 98
thousand years with a 1000 pc botnet.
You've pretty much convinced me to use long simple pass phrases if I
have a choice, unless the website or application won't accept it.
Thanks for the info. Thanks also to Michael T. and others who joined in
the discussion.
Here are some numbers I thought everyone might like to consider.
Estimated offline crack time based on 1000 pc botnet running at 100
trillion guesses per second. Using a 2048 word lexicon and simple pass
phrase, giving 11 bits of entropy / word. Bigger answers are all in
days. To get these numbers (in days), take the power of 2 (# of
permutations) and divide by 8.64 x 10^18.
2 words - 2^22 permutations - 42 NANOSECONDS
3 words - 2^33 permutations - 86 MICROSECONDS
4 words - 2^44 permutations - 176 MILLISECONDS
5 words - 2^55 permutations - 360 SECONDS
6 words - 2^66 permutations - 8.54 days
7 words - 2^77 permutations - 17.49 thousand days = 47.92 years
8 words - 2^88 permutations - 35.82 million days = 98.14 thousand years
9 words - 2^99 permutations - 73.36 billion days = 200.98 million years
My takeaway from this is: if you want protection from a botnet, don't
even consider a pass phrase less than 6 words if using a 2048 word
lexicon. If you only want protection from a fast attack by a single
machine or small GPU array, multiply these crack times by 1000. Pass
phrases 5 words and less for this purpose are almost worthless.
Sincerely,
Ron
On 9/6/2011 5:17 PM, Michael H. Warfield wrote:
> Ah... That's the whole point. Yes you can go down this road and add
> complexity (and misery) to the process but you can accomplish the same
> task by adding words that are easy to read and process and much easier
> to support.
>
> Do the math again for 8 words. 88 bits of entropy.
>
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com